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Improving the Control Strategy in two-way deterministic cryptographic protocols 

Anita Euscbi^^G and Stcfano Mancini^'L] 
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We introduce a new control strategy on a two-way deterministic cryptographic scheme, which relies 
on a suitable unitary transformation rather than quantum measurement. The study is developed 
for d-ary alphabets and the particular choice of the transformation works when d is an odd prime 
power. It leads to an improvement of the protocol security, which we prove to increase with the 
alphabet order d. 
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I. INTRODUCTION 



The pioneering protocol for Quantum Key Distribution (QKD) is known to be the BB84 [l| . This allows two remote 
parties (Alice and Bob) to share a secret key by a unidirectional use of a quantum channel. It has a probabilistic 
character, that is, on each use of quantum channel, the sender (Alice) is not sure that the encoded symbol will be 
correctly decoded by the receiver (Bob), 
i-^ I In the last decade a new generation of protocols has been introduced realizing QKD processes in a deterministic 

way [2|-|6[. In this case Alice is sure about the fact that Bob will exactly decode the symbol she has encoded. Another 
^ , important feature of the protocols defined in [3|-l6| is the bidirectional use of the quantum channel. 
d ' As much as like extensions of BB84 to larger alphabets have been developed [7|, |8| , there is a number of works 

p~ |. extending the deterministic protocols proposed in [J, |5| to higher dimensions, in particular for a tri-dimensional 
alphabet |9 |, | l Ol|. for a continuous infinite-dimensional alphabet 11| and for d-ary alphabets with d prime power 
dimension [12[. 

'►-j^ , In all these cases the security of the protocol is guaranteed by a control process, which amounts to perform quantum 

fSl ' measurements by Alice and the subsequent comparison on the public channel of bases used by Alice and Bob. 



CN I In this paper, by considering the general two-way deterministic protocol proposed in [12[, we suggest a new strategy 

, ', for the control process. More precisely, we show that it can be realized by a suitable unitary transformation as well. 



Moreover, we study the same powerful eavesdropping attack as in 12| on the forward and backward path of the 
^i-v . quantum channel and we obtain an improvement of the security performance. In particular we show that the security 
(^ [ of the protocol increases in terms of the alphabet order d. 

Finally, we also address the issue of Quantum Direct Communication (QDC) [3|, Il3l4l5j and see that in this case 
the optimal dimension is d = 3. 
k^ " Our protocol is based on Mutually Unbiased Bases (MUB) (161420 ] . so it generally works for prime power dimensions 

5_j ■ d. But our new strategy of control is valid for only odd prime powers, then we limite our work to this case. 
C^ , 

II. THE PROTOCOL 

Let us consider a qudit, i.e., a d-dimensional quantum system, and indicate with T-Ld the associated Hilbert space. 
A set of orthonormal bases in Hd is called a set of Mutually Unbiased Bases (MUB)jf the absolute value of the inner 
product of any two vectors from different bases is l/yd (the MUBness condition) |12l. ll6l4l9l |. 



At the present, no example of maximal set is known if the Hilbert space dimension is a composite number, otherwise 
it is known that there exists a maximal set of d -|- 1 MUB in Hilbert spaces of prime power dimension d ~ p™ with p 
a prime number and m positive integer 16l4l9l|. 
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Here, we focus on this case and from now wc denote the d + I MUB of Hd by \v^), with k = 0,1,. . . ,d and 
t — 0,1, . . . ,d — 1 labehing the basis and the vector in it respectively. 

Let us denote a; the p-th root of unity e^^^^^. Hence, we choose {|t'°)}t=o,....d-i as the computational basis and use 
the explicit formula given in |2C| for MUB's vectors to express the vectors of any other basis in the following compact 
way: 

_. d-l 

|„fc) = ^a;e«®*(a;('=-^)®'?®'?)^|v°) with k^l,...,d and i = 0, 1, . . . ,rf - 1 . (1) 



This expression satisfies the MUBness condition for d any prime power, both even and odd (see Appendix in 12 1 
for the even case). However, in the following we make use of ((T]) only in the case of odd prime power dimensions. 

In this context, we deal with the Galois field G = F(p'") of d elements, according to its mathematical properties. 
Notice that finite fields with d elements exist if and only if d is a prime power. In particular, wc denote by ©, 
and Q respectively the addition, the multiplication and the subtraction in the field G. Usually, an element of G is 
represented by a ?7i-tuple {go,gi, ■ ■ ■ ,gm-i) of integers modulo p. According to this representation, © corresponds 
to the componentwise addition modulo p (this is a direct consequence of the fact that, for all finite fields oi d ~ p™ 
elements, the characteristics of the field is exactly the prime number p). 



Following 20[, we identify G with {0, 1, . . . , d — 1}, paying attention to distinguish the operations in the field from 
the usual ones. Namely, we identify {go,gi, ■ ■ ■ ,9m-i) with the integer g ~ X)n=o dnP'^ ■ This allows us to consider 
the vector label t in |u^) as an element of G and to write lo^ with g £ G (notice that in this way we have ut^ ~ uj^°). 



As in 12], we consider Bob sending to Alice a qudit state randomly chosen from the set {\vt)}^lQ'"''d^i of MUB. 
Then, whatever is the state, Alice has to encode a symbol belonging to a d-ary alphabet A = {0, . . . , d — 1} in such a 
way that Bob will be able to unambiguously decode it (notice that the alphabet A can be identified with the Galois 
field G). Besides encoding Alice has to perform a control process to guarantee the security of the protocol. 

A. Encoding process 



As in [12|, we consider the unitary transformations Vq for a £ A, defined by 



V,^\v^)^L.''^'^\v^), (2) 

which can be regarded as the generalized Pauli Z operators. 

Such operator Vq realizes the same shift on all the bases but the computational one, that is for fc > 0: 

V " q=0 

Then, Alice encoding operation will be the shift operation realized by this operator Vq for a £ A. In such a case. 
Bob receiving back the state I^'^qq) can unambiguously determine a by means of a projective measurement onto the 
fc-th basis. In fact, he will get the value 



b = tea, (4) 



from which, knowing t, he can extract a. 



B. Control Strategy 

Here, we propose an innovative way of realizing the control process to guarantee the security of the protocol. Instead 



of the usual quantum measurement [12| , we introduce the control by means of a unitary transformation applied by 
Alice. Such an operator should realize a permutation of vectors within each basis, to allow Bob a reliable data 
gathering, but not cyclic shift, to differ from the encoding. 



A unitary transformation W, satisfying such conditions, can be defined as acting on the computational basis in the 
foUowing way: 

W\v',) = \v'^,). (5) 

Then, for each other basis k, with fc 7^ 0, we have: 

W\v^) = ^y c.e'?0*(c,(^-i)©«©«)^M^|„O) = ^y ,,«©*(,,(fc-i)0(e^)©(e^))4|„O) = |„|J . (6) 

That is, W performs the Galois field opposite for each basis {k ~ 0, . . . ,d) as follows: 

W\v^)^\vl,,). (7) 

Notice that this transformation satisfies the condition above indicated, only when d is an odd prime power dimension. 
In fact, for d = 2™ the W operator reduces to the identity , which is not acceptable. It seems reasonable to suppose 
that it does not exist any transformation of this kind when d is a power of 2, and moreover that W is the only kind 
of operator with the required properties when d is an odd prime. 



C. Description of the protocol 



Then, the protocol runs as follows: 



1. Bob randomly prepares one of the d^ qudit states |w^), with k = 1, . . . ,d and i = 0, . . . , d — 1, and sends it to 
Alice. 

2. Alice, upon receiving the qudit state has two options. 

a) With probability c 7^ 0, she performs a control by applying the unitary operator W {Control Mode). She 
then sends back to Bob the resulting state. 

b) With probability 1 — c, she encodes a symbol a € ^ by applying the unitary operator Vq (Message Mode). 
She then sends back to Bob the resulting state. 

3. Bob, upon receiving back the qudit state, performs a measurement by projecting over the basis to which the 
qudit state initially belonged. 

4. At the end of the transmission, Alice publicly declares on which runs she performed the control mode and on 
which others the message mode. It is important to remark at this point that Alice does not announce the 
bases because she did not perfom any measurement. For noiseless channel and no eavesdropping. Bob will have 
obtained the qudit resultant from the action of W operator in the control mode runs, while he will have got the 
encoded symbol a in the message mode runs. 

III. SECURITY OF THE PROTOCOL 

At first, we consider the most elementary of individual attacks: the Intercept- Resend. Suppose Eve, to learn Alice's 
operation, performs projective measurements on both paths of the travelling qudit, randomly choosing the measuring 
basis. She will steal the whole information for each message mode run, indipedently from the chosen basis. 

However, in each control mode run, she can guess the correct basis (the same of Bob) with probability 1/d, and 
in this case she is not detected at all. If otherwise Eve chooses the wrong basis, which happens with probability 
(d— l)/d, she still has a probability 1/d to evade detection. The last is exactly the probability that a vector belonging 
to the wrong basis by chance will be projected back to the correct vector of the original basis by Bob's measurement. 
Then, this means that Alice and Bob reveals Eve with probability (d— l)^/d^, which is greater than the result found 
in Ei. 



Now, we are going to evaluate the security of the protocol against a more powerful individual attack, already 
discussed in 12|. It is known that, quite generally, in individual attacks Eve lets the carrier of information interact 
with an ancilla system she has prepared and then try to gain information by measuring the ancilla. In this protocol, 
she has to do that two times, in the forward path (to gain information about the state Bob sends to Alice) and in the 
backward path (to gain information about the state Alice sends back to Bob, hence about Alice's transformation). 
Moreover, by using the same ancilla in the forward and backward path. Eve could benefit from quantum interference 
effects (see Fig. [1]). 

As proposed in [13], the attack is described as controlled shifts C{Vq}i^a '■ 'Hd'Si'Hd — >■ T~Ld®T~Ld, where the controller 
is the traveling qudit while the target is in the Eve's hands, and it is defined as follows: 



C{Vo'}(eA, 



Ovt'^K 



K)Ket:i 



(8) 



We remark that, in this definition, the controller as well as the target states are considered in the dual basis for the 
sake of simplicity. Other choices (except the computational basis) will give the same final results. 
Then, we consider Eve intervening in the forward path with {C{Vq}i£a)^^ , defined by 



I 111 1 1 (C{V„},gA) I 1 , Qtj I 1 



I «t\) 1^^20(0*1)) = kt\)l"t\©tl)> 



(9) 



and with C{V^}iiza in the backward path. 
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FIG. 1: The scheme summarizing our protocol. Labels B and E stand for Bob's and Eve's qudit systems respectively. Label A 
denotes Alice's operation on Bob's qudit. (C{Vo};6a)^^ and C{Vo};gA represent the eavesdropping operations on the forward 
and backward path respectively. 



A. Message Mode 

Now, let us analyze in detail the transformations of the quantum states on an entire message mode run. 

Attack on the forward path. 

The initial Bob state is one of the (P states | vf ), with k — 1, . . . ,d and t = 0, . . . ,d—l. Then, Eve initially prepares 
the ancilla state \vq)£ in the dual basis and performs the controlled operation. Hence, we get 



I fc\ I 1\ iC{Vo}ieA) \ 



d-1 



d-1 



E(^^i«')i"^)ei«o)£-E(^'^i^'')i^'^)«i«'')^ 



(10) 



h=0 



h=0 



Encoding. 

The Bob's qudit state undergoes the shift Vq with a E A, then from ([TU)) we get 

d-l 



/i=0 



^E(«^l«')l^^ea>B|«^>£. (11) 



Attack on the backward path. 

The state pT|) undergoes a CfVpl/g^ operation, hence we have 

, d-l d-1 

Finally, Eve measures her ancilla system by projecting in the dual basis, according to the chosen initial ancilla 
state. 

We notice that the controlled operations performed by Eve, as well as her final measurement, left unchanged Bob's 
qudit state. Hence, Bob's measurement by projection in the fc-th basis to which the initial state belonged, always 
allows him to obtain the symbol a Alice has encoded [see ([4])]. 

On the other hand. Eve gets |w^) with probability 1 as the result of her measurement. Therefore, she is able to 
exactly determine the encoded symbol a as well and she steals the whole information, quantified in bits, 

/£=l0g2d, (13) 

on each message mode run. 

B. Control Mode 

We would like to evaluate the probability P^ Alice and Bob have to reveal Eve on each control mode run. The 
situation is different for fc = 1 and fc 7^ 1, due to the Eve's choice of using the dual basis for her ancilla. 

1) For A; = 1, on the forward path with probability 1/d we have: 

I 1\ I 1\ (C{^o}iE^) , I 1\ I 1\ ri A\ 

\Vt)B\Vo)£ > \Vt)B\Vt)£- (14) 

Then, Alice applies her control strategy: 

\vl)s\vl)e ^ \vlt)B\vl)s. (15) 

On the backward path it happens the following: 

\vht)B\vl)s '-^^^ \vet)B\vle(et))£ = \vht)B\vlt)£- (16) 

Notice that t©i = 20i = 2t from to p - 1, while t®t = 2t^2Qt from p forward being 2 < p. 

It results that Eve's attack does not alter the Bob's and Alice's vectors, hence Bob, upon his final measurement, 
will get Qt with probability 1. Then, Bob does not outwit Eve's attacks: 

^£ = 0. (17) 

2) For fc = 2, . . . , d, on the forward path with probability [d — l)/d we get: 

\v'i)B\vl)e = Y.{vlH)\vl)e\vl)e ^''^'^°^""^'^ Y.^vl\v't)H) r^K) ^ . (18) 



Then, Alice applies her control strategy: 

d-l d-1 

Y.{vi\v^)\vl)B\vl), ^ Y.(^l\v^)\'^l,h}s\vl)s 



h=0 



h=0 



On the backward path it happens the following: 



J2{vi\v^)\vhh)B\vi) 



C{Vo'},6A, 



d-1 



d-1 



J2(''h\vt)Kh)BKQ(^Qh-^)£ = J2{vl\v'^)\vl,h)B\v'2h)e 



(19) 



(20) 



h=0 



h=0 



h=0 



Notice that \vli^)£ ~ |u20/i)£ ^'^^ 2 < p, that is in G = F(p™) of characteristic p > 2. 

In conclusion, the index in the sum is also present in the Eve's ancilla, so the Bob's and Eve's states result 

entangled. Then, 

d-1 



Pe = 



(21) 



Pf 



(22) 



In summary, from the two above analized cases, we conclude that the probability for Alice and Bob to outwit Eve 
on each control mode run is 

'i^ n I ('^-^\ d-l _{d-lf 
.d. 

where 

• \/d is the probability with which Bob and Eve use the same basis (that is the dual basis for k — 1); 

• is the corresponding probability of Bob revealing Eve; 

• (d — l)/d is the probability of Eve choosing the basis for ancilla is different from Bob's choice of basis for the 
initial state \v^) (then any basis but the dual one, that is fc 7^ 1); 

• (d — l)/d is anagously the respective probability of Bob outwiting Eve. 

Notice that this quantity is largely greater than the analogous obtained with control strategy based upon measure- 



ment in 12[. Essentially that happens because here the probability Pf is no longer conditioned to the probability 
that Alice and Bob measure in the same bases (this would implicate an other factor 1/d). In fact, only Bob perfoms 
a measurement (at the end of path) and he knowns what is the correct basis over which to project (that is the one to 
which the initial qudit state belonged). 

The behavior of Pg as fuction of the order d of the alphabet is shown in Fig. [2] It can see that the probability Pg 
of revealing Eve in each successful control mode run increases towards 1 by increasing the dimension d. Thus, the 
efhciency of the whole control process increases accordingly to it. 
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FIG. 2: The probability Ps versus the dimension d (bars correspond to odd prime power numbers). 



IV. CONCLUDING REMARKS 



111 this paper, we have rivisited the deterministic cryptographic protocol o f_[l2| which represents a generahzation 
to a d-ary alphabet of the bidirectional quantum cryptographic scheme of \^]^ . Here we have introduced a control 
strategy based on a suitable unitary transformation rather than quantum measurements. The latter gave an optimal 
d = 3 for the security. Now it results that the quantity of information that Eve can steal is the same as [l2| , but the 
probability Ps to outwit Eve increases in terms of the alphabet order d, that is the larger is the alphabet the higher 
is the security. 

As a consequence of the deterministic nature of the protocol, this can be also used for Quantum Direct Communca- 
tion (QDC) between legitimate users |3l. Isl. Il2l4l5| . that is when Alice and Bob (after authentication) communicate 
directly the meaningful message without encryption. Notice that for this kind of communication only an asymptotic 
security can be proven. 

Hence, if we assume that Eve wants to perform her attack on each message mode run, without having been detected 
in the previous control mode runs, then the probability is given by following geometric series: 



(1 - c) + c(l - P£)(l -c)+ c2(l - Psf{l - c) 



1-c 



1 - c(l - Ps) 



(23) 



Thus, being Ig the quantity of information that Eve eavesdrops in a single attack, the probability that she success- 
fully eavesdrops an amount of information / is 



1 



I/Is 



1 - c(l - Ps) 



(24) 



with Is and Ps given in p^ and (P^ respectively. 

In Fig. [3] we have plotted the quantity of (|24p . with c = 1/2, versus the number n of bits stolen by Eve without 
being outwitted for different alphabet order. It is interesting to observe that such a probability, as a function of /, 
increases slowly and slowly with the alphabet order. 
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FIG. 3: The eavesdropping success probability as a function of the maximal eavesdropped information decreases faster by 
increaing d. It is plotted for different dimensions, from bottom to top d = 3, d = 5, d = 7, d = 9, d = 11, . . . , d = 49. 



In this case the probability for Alice and Bob to detect Eve before she can eavesdrop a fixed amount of information, 
that is the complement of probability in (|24p . is maximal for d = 3. Notice that the optimal dimension depends on 
the specific task of the protocol (QKD or QDC). 

We believe that this work might offer new interesting perspectives for deterministic cryptographic protocols, in 
particular it could stiinulate further studies about the optimal control strategy. 
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